Babel: Jailbreaking Safety Attention via Obfuscation Distribution Optimized Sampling

TL;DR

This paper introduces Babel, a novel black-box attack method that exploits safety gaps in LLMs through systematic obfuscation sampling, significantly improving jailbreak success rates and query efficiency.

Contribution

Babel is a new, efficient framework that leverages a mathematical model of safety vulnerabilities to perform high-success jailbreak attacks without internal model access.

Findings

Babel achieves up to 82.67% success rate on GPT-4o.

Babel outperforms existing methods in query efficiency.

It provides a robust red-teaming tool for LLM safety evaluation.

Abstract

Despite rigorous safety alignment, Large Language Models (LLMs) remain vulnerable to jailbreak attacks. Existing black-box methods often rely on heuristic templates or exhaustive trials, lacking mechanistic interpretability and query efficiency. In this study, we investigate an intrinsic vulnerability in the safety mechanisms of LLMs, where safety alignment relies on a small set of sparsely distributed attention heads, leaving much of the representational space weakly monitored. We formalize this phenomenon with a mathematical jailbreaking model that characterizes the delicate boundary of effective text obfuscation and analytically explains observed jailbreak behaviors. Guided by this model, we propose Babel, an efficient black-box attack framework that exploits the identified safety gap through systematic obfuscation sampling with iterative, feedback-driven distribution refinement, enabling reliable and high-success jailbreak attacks without access to model internals. Comprehensive evaluations on frontier commercial models demonstrate that Babel achieves state-of-the-art attack success rates and superior query efficiency. Specifically, compared to state-of-the-art methods, Babel increases the attack success rate on GPT-4o from 41.33% to 82.67% and on Claude-3-5-haiku from 38.33% to 78.33% within an average of 40 queries, providing a robust red-teaming methodology for LLMs safety research.